Domain email: SSL and TLS certificate issues

americanintel (Verified User; joined Mar 1, 2004; 133 messages; Granbury, TX)
I've searched all over the forums but can't get my mind wrapped around this one.

I have several domains on a server. One, lonestarlandservices.com, has an SSL for that domain. Now typically I've set up MX records for mail.lonestarlandservices.com but without a second cert that won't work. So I simply added a second MX record for lonestarlandservices.com and will eventually do away with mail.lonestarlandservices.com.

I'm trying to transition all of the email users to SSL/TLS for POP3 on port 995 and STARTTLS on SMTP over port 587 for that particular domain.

When I send/receive Thunderbird is complaining about an invalid cert...basically it's seeing a localhost type cert that I suspect is the exim.cert/exim.key files.

Now, I've read the thread at http://directadmin.com/forum/showthread.php?t=27796 and I should be able to deal with dovecot by doing this:

ssl_cert_file = /usr/local/directadmin/data/users/myuser/domains/mydomain.com.cert
ssl_key_file = /usr/local/directadmin/data/users/myuser/domains/mydomain.com.key
ssl_ca_file = /usr/local/directadmin/data/users/myuser/domains/mydomain.com.cacert

But even with this I don't think Dovecot will handle multiple domains accordingly will it? Version 2.0+ seems to if I read it correctly.

But if I'm reading correctly, exim doesn't have a way to deal with domain-by-domain SSL certs for SMTP mail.

The SSL cert is working fine for https requests via browser but the email is kicking my arse.

What do I need to do to get email clients using my cert for lonestarlandservices.com? Is the only workaround getting a cert for the server domain and forcing domain to use that if they want secure connections or???
 
Now if I do this in dovecot.conf:


## Dovecot 1.1 configuration file

protocols = imap imaps pop3 pop3s

#ssl_cert_file = /etc/exim.cert
#ssl_key_file = /etc/exim.key
ssl_cert_file = /etc/httpd/conf/ssl.crt/server.crt
ssl_key_file = /etc/httpd/conf/ssl.key/server.key
ssl_cert_file = /usr/local/directadmin/data/users/landuser/domains/lonestarlandservices.com.cert
ssl_key_file = /usr/local/directadmin/data/users/landuser/domains/lonestarlandservices.com.key
ssl_ca_file = /usr/local/directadmin/data/users/landuser/domains/lonestarlandservices.com.cacert


It will make lonestarlandservices.com POP3 users happy but if I try with another domain it wants to use the lonestar cert....without another cert to try I don't know if this will work when I add another 3 lines for that particular domain...will it?

Still, I have an exim/smtp ssl issue until someone can enlighten me otherwise.

Thanks,
 
Trying to work my way through this....

exim.conf's TLS section is as follows:


# EDIT AS REQUIRED TO FIT YOUR ENVIRONMENT
# SSL/TLS cert and key
tls_certificate = /etc/exim.cert
tls_privatekey = /etc/exim.key
tls_advertise_hosts = *
#auth_over_tls_hosts = *
tls_require_ciphers = ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP

So... my assumption is that IF I bought a cert for the server, instead of just a particular domain.... I would point the tls_certificate and _privatekey to that particular file.

The only drawback is that I'll have to change/add the MX records for any domains that want to use SSL/TLS on this server.....about 30 of them. But at least I'd have a cert for my server I guess....
 
Nope... if I add another 3 lines for a second domain after installing the cert then when Thunderbird checks email it will refer to the last lines.....so lonestarlandservices.com email pulls up my new domain's cert..... so that won't work for multi domain ssl email.

Now I'm wondering about my server SSL too as I have server.domain.com and if I go buy a cert for server.domain.com and it's IP is shared by several other domains on the server then that won't work either... or will it?

What's the best way to skin this cat?
 
Yeah.. I read that but we are on 1.2 AND while that helps with POP3 it doesn't help with SMTP via Exim....unless I'm missing something.

I did a chain cert on exim and that fixed that but I would like to use SSL for other domains and right now I'm limited to one domain as it stands.
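To see which certificate the server actually presents for each domain name, without needing a second cert to try and without guessing from Thunderbird's warning, here is an added probe script. It is not code from the original posts or from DirectAdmin, Dovecot or Exim. It sends the requested name as TLS SNI on POP3S (port 995) and on SMTP STARTTLS (port 587), then reports whether the certificate chains to the local CA store and whether its names cover the domain. The server name, the ports and the `probe.invalid` EHLO name are assumptions; replace them with your own.

```python
"""Probe which certificate a mail server presents for a given name.

Added example for this thread; not code from the original posts or from
DirectAdmin, Dovecot or Exim. Hostnames and ports used below are assumptions.
"""
import socket
import ssl
import sys


def _context():
    # Verify against the system CA store but do not abort on a name mismatch:
    # the point of the probe is to report which names the cert carries.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def _match_pattern(pattern, hostname):
    """Case-insensitive match; a leading '*.' covers exactly one DNS label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        head, sep, tail = hostname.partition(".")
        return bool(sep) and head != "" and "." + tail == pattern[1:]
    return pattern == hostname


def cert_names(cert):
    """DNS names from the dict that getpeercert() returns: SAN dNSName entries,
    or the subject CN only when the cert has no SAN DNS entries (RFC 6125 rule)."""
    dns = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if dns:
        return dns
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def hostname_matches(cert, hostname):
    """True if any name in the cert covers hostname."""
    return any(_match_pattern(n, hostname) for n in cert_names(cert))


def probe_pop3s(host, name, port=995, timeout=10):
    """Implicit TLS (POP3S): handshake first, with SNI = name."""
    with socket.create_connection((host, port), timeout=timeout) as raw, \
            _context().wrap_socket(raw, server_hostname=name) as tls:
        return tls.getpeercert()


def _reply_code(f):
    """Read one SMTP reply, skipping '250-' style continuation lines."""
    while True:
        line = f.readline()
        if not line:
            raise ConnectionError("server closed the connection")
        if len(line) < 4 or line[3:4] != b"-":
            return int(line[:3])


def probe_smtp_starttls(host, name, port=587, timeout=10):
    """Plain SMTP up to STARTTLS, then handshake with SNI = name."""
    with socket.create_connection((host, port), timeout=timeout) as raw:
        f = raw.makefile("rb")
        if _reply_code(f) != 220:
            raise RuntimeError("no SMTP greeting")
        raw.sendall(b"EHLO probe.invalid\r\n")  # assumed client name
        if _reply_code(f) != 250:
            raise RuntimeError("EHLO rejected")
        raw.sendall(b"STARTTLS\r\n")
        if _reply_code(f) != 220:
            raise RuntimeError("STARTTLS not offered or refused")
        with _context().wrap_socket(raw, server_hostname=name) as tls:
            return tls.getpeercert()


def check(probe, host, name):
    """Summarise one probe: is the cert trusted, and does it cover name?"""
    try:
        cert = probe(host, name)
    except ssl.SSLCertVerificationError as e:
        return {"name": name, "trusted": False, "name_ok": None,
                "detail": e.verify_message}
    return {"name": name, "trusted": True,
            "name_ok": hostname_matches(cert, name), "cert_names": cert_names(cert)}


if __name__ == "__main__":
    server = sys.argv[1] if len(sys.argv) > 1 else "mail.example.com"  # assumed
    for domain in sys.argv[2:] or [server]:
        for label, probe in (("POP3S/995", probe_pop3s),
                             ("SMTP+STARTTLS/587", probe_smtp_starttls)):
            print(label, check(probe, server, domain))
```

Run it as `python3 mailcertprobe.py <server> lonestarlandservices.com otherdomain.com` (script name assumed). The two outcomes map onto the symptoms in this thread: `trusted: False` with a self-signed detail is the default exim.cert being served; `trusted: True` with `name_ok: False` is a real certificate for the wrong domain, which is what a second set of `ssl_cert_file` lines produces for the first domain, since Dovecot 1.x keeps only the last value. Per-domain certificates on one IP only work when the server picks the certificate from the SNI the client sends: Dovecot 2.0 and later do this with a `local_name` block, and Exim 4.80 and later expose the requested name as `$tls_in_sni` for use in `tls_certificate`. Clients that send no SNI still get the default certificate, which is worth checking with this probe by passing the server's own name.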
 
Multi ssl probably doesn't support 1.1

For exim you can ask on their mailing list.
 